| Entities | New York (10) |
| Topics and Issues | Cybersecurity (7) |
In June 2023, the NY DFS issued Revised Proposed Second Amendment to 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies. This revised proposal is marked up. The Department also issued a:
- Notice of Revised Rulemaking
- Regulatory Impact Statement for the Revised Proposed Second Amendment to 23 NYCRR Part 500 (“Part 500”)
- Assessment of Public Comments on the Proposed Second Amendment to 23 NYCRR 500.
Resources:
- Hunton Blog (July 5, 2023) on the DFS Revised Proposed Second Amendment to 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies issued in June 2023.
- In January 2023, CDIA filed a comment to the November 2022 second proposed amendments. In that comment, CDIA wrote that (1) DFS should reconsider imposing additional cybersecurity requirements on financial institutions that have recently been in the process of rebuilding their information security programs; (2) DFS should address specific areas of textual vagueness; and (3) The regulation should permit independent audits by internal audit teams.
- Hunton Blog (Nov. 23, 2022) on the DFS second proposed amendments to its cybersecurity rule issued in November 2022.
- DFS Proposed Second Amendment to DFS’s Cybersecurity Regulation (Nov. 9, 2023).
- DFS press release (Nov. 9, 2023)
- DFS Assessment of Public Comments to the August 2022 rulemaking (Likely Nov. 9, 2023).
- DFS website for its Proposed Second Amendment to 23 NYCRR Part 500 (Likely Nov. 9, 2023).
- Hunton blog (August 15, 2022) on the DFS amendments to its cybersecurity rules.
- The U.S. Chamber filed a comment in August 2023 in connection with the DFS Revised Proposed Second Amendment to 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies issued in June 2023.
- CDIA filed a comment in August 2022 in connection with this initial rulemaking. CDIA made the following points in the comment: “In short, the pre-proposed amendments raise more than a few initial questions and concerns, not least of which is the propriety of imposing potentially new cybersecurity requirements on businesses at a time when many are actively assessing and revising their cybersecurity programs for compliance with new Federal Trade Commission (FTC) Safeguards Rule requirements, which may or may not overlap with DFS’s pre-proposals. Should DFS decide to move forward, we urge the agency to afford sufficient process and time for formal comment and review as well as implementation should any amendments ultimately become effective.”
- CDIA filed a comment in January 2017 in the revised rulemaking for cybersecurity for financial institutions.
- The U.S. Chamber of Commerce filed comments in January 2023 and in August 2023.